Aug 27 2025

The Impact of Artificial Intelligence on the Cybersecurity Workforce: NIST’s Evolving Framework

Category: AI,NIST CSFdisc7 @ 4:41 pm

Credit: NICE

1. Introduction & Context

NIST’s NICE (National Initiative for Cybersecurity Education) Workforce Framework (NICE Framework) , known as NIST SP 800-181 rev. 1, has been designed for adaptability — particularly to account for emerging technologies like artificial intelligence (AI). Strong engagement with federal agencies, industry, academia, and international groups has ensured that NICE evolves with AI developments. NICE has hosted numerous events — from webinars to annual conferences — to explore AI’s impact on cybersecurity education, workforce needs, and program design.

2. AI Security as a New Competency Area

One major evolution includes the introduction of a new AI Security Competency Area within the NICE Framework. This area will define the core knowledge and skills needed to understand how AI intersects with cybersecurity — from managing risks to leveraging opportunities. The draft competency content is open for public comment and draws on resources such as the AI Risk Management Framework (AI RMF 1.0), the NSF AI Scholarships for Service initiative, and DoD’s Cyber Workforce Framework.

3. AI’s Role in Work Roles & Skills Integration

Beyond this standalone competency, NICE aims to integrate AI-related Tasks, Knowledge, and Skill (TKS) statements into existing and newly emerging cybersecurity job roles. This includes coverage for three essential themes: (a) strategic implications of AI for organizations and legal/regulatory considerations; (b) securing AI systems against threats including misuse; and (c) enhancing cybersecurity work through AI — such as using it for threat detection and analysis.

4. Community Engagement & Feedback Mechanisms

NIST encourages public participation in shaping the evolution of the NICE Framework. Stakeholders—including federal agencies, educators, certification bodies, and private-sector groups—are invited to join forums like the NICE Community Coordinating Council, attend events, join the NICE Framework Users Group, or provide direct feedback.

5. AI’s Dual Security Role in NIST Strategy

Another dimension of NIST’s AI-focused cybersecurity efforts focuses on both securing AI (making AI systems robust against threats) and enabling security through AI (using AI to strengthen defenses). Related initiatives include developing community profiles for adapting other cybersecurity frameworks (e.g., the Cybersecurity Framework), as well as launching research tools such as Dioptra and the PETs Testbed that support evaluation of machine learning and privacy technologies.

6. Broader Vision for AI & Cybersecurity Integration

NIST’s broader vision includes aligning its AI-cybersecurity initiatives with its existing guidance (e.g., AI RMF, SSDF, privacy frameworks) and expanding into practical, operational tools and community-driven resources. The goal is a cohesive, holistic approach that supports both the defense of AI systems and the incorporation of AI into cybersecurity across organizational, national, and international levels.

7. Summary

In essence, the NIST blog outlines how AI is reshaping the cybersecurity workforce—through new competency areas, an expanded skill taxonomy, and community-driven development of training and frameworks. NIST is at the forefront of this transformation, laying essential groundwork for organizations to adapt to AI-induced changes while safeguarding both AI and the systems it interacts with.

  • Engage proactively: If you’re in the cybersecurity field—especially in education, policy, workforce development, or hiring—stay involved. Submit feedback to NIST, participate in the NICE community forums, or attend their events to help shape AI-integrated workforce standards.
  • Upskill intentionally: Incorporate AI-related skills into your training or hiring programs. Target roles that require AI literacy—such as understanding AI risks, securing AI systems, or leveraging AI for defense.
  • Emphasize both “of” and “through” AI: Ensure your workforce is prepared not only to protect AI systems (security of AI) but also to harness AI as a tool for enhancing cybersecurity (security through AI).
  • Leverage NIST tools and frameworks: Explore resources like AI RMF, SSDF profiles for generative AI, Dioptra, and PETs Testbed to inform your practices, tool selection, and workflow integration.

Source: The Impact of Artificial Intelligence on the Cybersecurity Workforce

DISC InfoSec previous posts on AI category

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services | Mergers and Acquisition Security

Tags: Cybersecurity Workforce, NIST’s Evolving Framework

Aug 25 2025

Understand how the ISO/IEC 42001 standard and the NIST framework will help a business ensure the responsible development and use of AI

Category: AI,ISO 42001,NIST CSFdisc7 @ 10:11 pm

The ISO/IEC 42001 standard and the NIST AI Risk Management Framework (AI RMF) are two cornerstone tools for businesses aiming to ensure the responsible development and use of AI. While they differ in structure and origin, they complement each other beautifully. Here’s a breakdown of how each contributes—and how they align.

🧭 ISO/IEC 42001: AI Management System Standard

Purpose:
Establishes a formal AI Management System (AIMS) across the organization, similar to ISO 27001 for information security.

🔧 Key Components

  • Leadership & Governance: Requires executive commitment and clear accountability for AI risks.
  • Policy & Planning: Organizations must define AI objectives, ethical principles, and risk tolerance.
  • Operational Controls: Covers data governance, model lifecycle management, and supplier oversight.
  • Monitoring & Improvement: Includes performance evaluation, impact assessments, and continuous improvement loops.

✅ Benefits

  • Embeds responsibility and accountability into every phase of AI development.
  • Supports legal compliance with regulations like the EU AI Act and GDPR.
  • Enables certification, signaling trustworthiness to clients and regulators.

🧠 NIST AI Risk Management Framework (AI RMF)

Purpose:
Provides a flexible, voluntary framework for identifying, assessing, and managing AI risks.

🧩 Core Functions

FunctionDescription
GovernEstablish organizational policies and accountability for AI risks
MapUnderstand the context, purpose, and stakeholders of AI systems
MeasureEvaluate risks, including bias, robustness, and explainability
ManageImplement controls and monitor performance over time

✅ Benefits

  • Promotes trustworthy AI through transparency, fairness, and safety.
  • Helps organizations operationalize ethical principles without requiring certification.
  • Adaptable across industries and AI maturity levels.

🔗 How They Work Together

ISO/IEC 42001NIST AI RMF
Formal, certifiable management systemFlexible, voluntary risk management framework
Focus on organizational governanceFocus on system-level risk controls
PDCA cycle for continuous improvementIterative risk assessment and mitigation
Strong alignment with EU AI Act complianceStrong alignment with U.S. Executive Order on AI

Together, they offer a dual lens:

  • ISO 42001 ensures enterprise-wide governance and accountability.
  • NIST AI RMF ensures system-level risk awareness and mitigation.

visual comparison chart or a mind map to show how these frameworks align with the EU AI Act or sector-specific obligations.

mind map comparing ISO/IEC 42001 and the NIST AI RMF for responsible AI development and use:

This visual lays out the complementary roles of each framework:

  • ISO/IEC 42001 focuses on building an enterprise-wide AI management system with governance, accountability, and operational controls.
  • NIST AI RMF zeroes in on system-level risk identification, assessment, and mitigation.

AIMS and Data Governance

Navigating the NIST AI Risk Management Framework: A Comprehensive Guide with Practical Application

Building Trust with High-Risk AI: What Article 15 of the EU AI Act Means for Accuracy, Robustness & Cybersecurity

From Compliance to Confidence: How DISC LLC Delivers Strategic Cybersecurity Services That Scale

Secure Your Business. Simplify Compliance. Gain Peace of Mind

Managing Artificial Intelligence Threats with ISO 27001

DISC InfoSec previous posts on AI category

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services | Mergers and Acquisition Security

Tags: responsible development and use of AI

Jul 03 2025

Secure Your Business. Simplify Compliance. Gain Peace of Mind

Category: Information Security,NIST CSF,NIST Privacy,Security Compliance,vCISOdisc7 @ 1:56 pm

At Deura InfoSec, we help small to mid-sized businesses navigate the complex world of cybersecurity and compliance—without the confusion, cost, or delays of traditional approaches. Whether you’re facing a looming audit, need to meet ISO 27001, NIST, HIPAA, or other regulatory standards, or just want to know where your risks are—we’ve got you covered.

We offer fixed-price compliance assessments, vCISO services, and easy-to-understand risk scorecards so you know exactly where you stand and what to fix—fast. No bloated reports. No endless consulting hours. Just actionable insights that move you forward.

Our proven SGRC frameworks, automated tools, and real-world expertise help you stay audit-ready, reduce business risk, and build trust with customers.

📌 ISO 27001 | ISO 42001 | SOC 2 | HIPAA | NIST | Privacy | TPRM | M&A
📌 Risk & Gap Assessments | vCISO | Internal Audit
📌 Security Roadmaps | AI & InfoSec Governance | Awareness Training

Start with our Compliance Self-Assessment and discover how secure—and compliant—you really are.

👉 DeuraInfoSec.comLet’s make security simple.

If you’re dealing with audits, scaling security, or just want to know how exposed your business is—we’re the no-BS partner you’ve been looking for.

✅ Big 4 experience + hands-on delivery
✅ Cyber data governance tailored to small/mid-sized orgs
✅ Practical, business-first approach to InfoSec

Next Steps: Let us prepare a customized scorecard or walk you through a free 15-minute discovery call.

Contact: info@discinfosec.com | www.discinfosec.com

Vineyard and Wineries may be at Risk

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services | Mergers and Acquisition Security

Tags: Deura InfoSec, DISC InfoSec, Secure Your Business

Jul 01 2025

The NIST Gap Assessment Tool will cost-effectively assess your organization against the NIST SP 800-171 standard

Category: Information Security,NIST CSF,Security Toolsdisc7 @ 1:49 pm

The NIST Gap Assessment Tool is a structured resource—typically a checklist, questionnaire, or software tool—used to evaluate an organization’s current cybersecurity or risk management posture against a specific NIST framework. The goal is to identify gaps between existing practices and the standards outlined by NIST, so organizations can plan and prioritize improvements.

The NIST SP 800-171 standard is primarily used by non-federal organizations—especially contractors and subcontractors—that handle Controlled Unclassified Information (CUI) on behalf of the U.S. federal government.

Specifically, it’s used by:

  1. Defense Contractors – working with the Department of Defense (DoD).
  2. Contractors/Subcontractors – serving other civilian federal agencies (e.g., DOE, DHS, GSA).
  3. Universities & Research Institutions – receiving federal research grants and handling CUI.
  4. IT Service Providers – managing federal data in cloud, software, or managed service environments.
  5. Manufacturers & Suppliers – in the Defense Industrial Base (DIB) who process CUI in any digital or physical format.

Why it matters:

Compliance with NIST 800-171 is required under DFARS 252.204-7012 for DoD contractors and is becoming a baseline for other federal supply chains. Organizations must implement the 110 security controls outlined in NIST 800-171 to protect the confidentiality of CUI.

NIST 800-171 Compliance Checklist

1. Access Control (AC)

  • Limit system access to authorized users.
  • Separate duties of users to reduce risk.
  • Control remote and internal access to CUI.
  • Manage session timeout and lock settings.

2. Awareness & Training (AT)

  • Train users on security risks and responsibilities.
  • Provide CUI handling training.
  • Update training regularly.

3. Audit & Accountability (AU)

  • Generate audit logs for events.
  • Protect audit logs from modification.
  • Review and analyze logs regularly.

4. Configuration Management (CM)

  • Establish baseline configurations.
  • Control changes to systems.
  • Implement least functionality principle.

5. Identification & Authentication (IA)

  • Use unique IDs for users.
  • Enforce strong password policies.
  • Implement multifactor authentication.

6. Incident Response (IR)

  • Establish an incident response plan.
  • Detect, report, and track incidents.
  • Conduct incident response training and testing.

7. Maintenance (MA)

  • Perform system maintenance securely.
  • Control and monitor maintenance tools and activities.

8. Media Protection (MP)

  • Protect and label CUI on media.
  • Sanitize or destroy media before disposal.
  • Restrict media access and transfer.

9. Physical Protection (PE)

  • Limit physical access to systems and facilities.
  • Escort visitors and monitor physical areas.
  • Protect physical entry points.

10. Personnel Security (PS)

  • Screen individuals prior to system access.
  • Ensure CUI access is revoked upon termination.

11. Risk Assessment (RA)

  • Conduct regular risk assessments.
  • Identify and evaluate vulnerabilities.
  • Document risk mitigation strategies.

12. Security Assessment (CA)

  • Develop and maintain security plans.
  • Conduct periodic security assessments.
  • Monitor and remediate control effectiveness.

13. System & Communications Protection (SC)

  • Protect CUI during transmission.
  • Separate system components handling CUI.
  • Implement boundary protections (e.g., firewalls).

14. System & Information Integrity (SI)

  • Monitor systems for malicious code.
  • Apply security patches promptly.
  • Report and correct flaws quickly.

The NIST Gap Assessment Toolkit will cost-effectively assess your organization against the NIST SP 800-171 standard. It will help you to:

  • Understand the NIST SP 800-171 requirements for storing, processing, and transmitting CUI (Controlled Unclassified Information)
  • Quickly identify your NIST SP 800-171 compliance gaps
  • Plan and prioritise your NIST SP 800-171 project to ensure data handling meets U.S. DoD (Department of Defense) requirements

NIST 800-171: System Security Plan (SSP) Template & Workbook

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services | Mergers and Acquisition Security

Tags: NIST Gap Assessment Tool, NIST SP 800-171

Jan 20 2025

NIST CSF vs ISO 27001 comparison

Category: ISO 27k,NIST CSFdisc7 @ 9:55 pm

This table highlights the key differences between NIST CSF and ISO 27001:

  1. Scope:
    • NIST CSF is tailored for U.S. federal agencies and organizations working with them.
    • ISO 27001 is for any international organization aiming to implement a strong Information Security Management System (ISMS).
  2. Control Structure:
    • NIST CSF offers various control catalogues and focuses on three core components: the Core, Implementation Tiers, and Profiles.
    • ISO 27001 includes Annex A, which outlines 14 control categories with globally accepted best practices.
  3. Audits and Certifications:
    • NIST CSF does not require audits or certifications.
    • ISO 27001 mandates independent audits and certifications.
  4. Customization:
    • NIST CSF has five customizable functions for organizations to adapt the framework.
    • ISO 27001 follows ten standardized clauses to help organizations build and maintain their ISMS.
  5. Cost:
    • NIST CSF is free to use.
    • ISO 27001 requires a fee to access its standards and guidelines.

In summary, NIST CSF may be flexible and free, whereas ISO 27001 provides a globally recognized certification framework for robust information security.

The Real Reasons Companies Get ISO 27001 Certified 

Compliance per Category ISO 27002 2022

Why Your Organization Needs ISO 27001 Amid Rising Risks

10 key benefits of ISO 27001 Cert for SMBs

ISO 27001: Building a Culture of Security and Continuous Improvement

Penetration Testing and ISO 27001 – Securing ISMS

Secure Your Digital Transformation with ISO 27001

Significance of ISO 27017 and ISO 27018 for Cloud Services

The Risk Assessment Process and the tool that supports it

What is the significance of ISO 27001 certification for your business?

ISO 27k Chat bot

Pragmatic ISO 27001 Risk Assessments

ISO/IEC 27001:2022 – Mastering Risk Assessment and the Statement of Applicability

Risk Register Templates: Asset and risk register template system for cybersecurity and information security management suitable for ISO 27001 and NIST

ISO 27001 implementation ISO 27002 ISO 27701 ISO 27017 ISO27k

How to Address AI Security Risks With ISO 27001

How to Conduct an ISO 27001 Internal Audit

4 Benefits of ISO 27001 Certification

How to Check If a Company Is ISO 27001 Certified

How to Implement ISO 27001: A 9-Step Guide

ISO 27001 Standard, Risk Assessment and Gap Assessment

ISO 27001 standards and training

What is ISO 27002:2022

Previous posts on ISO 27k

Securing Cloud Services: A pragmatic guide

ISO 27001/2 latest titles

A Comprehensive Guide to the NIST Cybersecurity Framework 2.0: Strategies, Implementation, and Best Practice

CIS Controls in Practice: A Comprehensive Implementation Guide

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: iso 27001, NIST CSF

Jan 16 2025

7 steps for evaluating, comparing, and selecting frameworks

Category: ISO 27k,NIST CSF,NIST Privacy,vCISOdisc7 @ 11:38 am

7 steps for evaluating, comparing, and selecting frameworks:

  1. Identify frameworks that align with regulatory compliance requirements.
  2. Assess the organization’s risk appetite and select frameworks that align with its strategic goals.
  3. Compare your organization to others in the industry to determine the most commonly used frameworks and their relevance.
  4. Choose frameworks that can scale as the business grows.
  5. Select frameworks that help the organization better align with its clients.
  6. Conduct a cost analysis to assess the feasibility of implementing the framework(s).
  7. Determine whether the framework can be implemented in-house or if external guidance is needed.

This process helps organizations select the most suitable framework for their needs and long-term.

Why Your Organization Needs ISO 27001 Amid Rising Risks

10 key benefits of ISO 27001 Cert for SMBs

ISO 27001: Building a Culture of Security and Continuous Improvement

Penetration Testing and ISO 27001 – Securing ISMS

Secure Your Digital Transformation with ISO 27001

Significance of ISO 27017 and ISO 27018 for Cloud Services

The Risk Assessment Process and the tool that supports it

What is the significance of ISO 27001 certification for your business?

ISO 27k Chat bot

Pragmatic ISO 27001 Risk Assessments

ISO/IEC 27001:2022 – Mastering Risk Assessment and the Statement of Applicability

Risk Register Templates: Asset and risk register template system for cybersecurity and information security management suitable for ISO 27001 and NIST

ISO 27001 implementation ISO 27002 ISO 27701 ISO 27017 ISO27k

How to Address AI Security Risks With ISO 27001

How to Conduct an ISO 27001 Internal Audit

4 Benefits of ISO 27001 Certification

How to Check If a Company Is ISO 27001 Certified

How to Implement ISO 27001: A 9-Step Guide

ISO 27001 Standard, Risk Assessment and Gap Assessment

ISO 27001 standards and training

What is ISO 27002:2022

Previous posts on ISO 27k

Securing Cloud Services: A pragmatic guide

ISO 27001/2 latest titles

A Comprehensive Guide to the NIST Cybersecurity Framework 2.0: Strategies, Implementation, and Best Practice

CIS Controls in Practice: A Comprehensive Implementation Guide

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: CIS, ISO, NIST

Nov 25 2024

Adding Value with Adding Value with Risk-Based Information Security

Category: ISO 27k,NIST CSF,Risk Assessment,Security Risk Assessmentdisc7 @ 8:27 am

The article emphasizes the importance of integrating risk management and information security management systems (ISMS) for effective IT security. It recommends a risk-based approach, leveraging frameworks like ISO/IEC 27001 and NIST Cybersecurity Framework (CSF) 2.0, to guide decisions that counteract risks while aligning with business objectives. Combining these methodologies enhances control accuracy and ensures that organizational assets critical to business goals are appropriately classified and protected.

An enterprise risk management system (ERMS) bridges IT operations and business processes by defining the business value of organizational assets. This alignment enables ISMS to identify and safeguard IT assets vital to achieving organizational objectives. Developing a registry of assets through ERMS avoids redundancies and ensures ISMS efforts are business-driven, not purely technological.

The NIST CSF 2.0 introduces a “govern” function, improving governance, priority-setting, and alignment with security objectives. It integrates with frameworks like ISO 27001 using a maturity model to evaluate controls’ effectiveness and compliance. This approach ensures clarity, reduces redundancies, and provides actionable insights into improving cybersecurity risk profiles and resilience across the supply chain.

Operationally, integrating frameworks involves a centralized tool for managing controls, aligning them with risk treatment plans (RTP), and avoiding overlaps. By sharing metrics across frameworks and using maturity models, organizations can efficiently evaluate security measures and align with business goals. The article underscores the value of combining ISO 27001’s holistic ISMS with NIST CSF’s risk-focused profile to foster continual improvement in an evolving digital ecosystem.

For example, let’s consider an elementary task such as updating the risk policy. This is part of control 5.1 of ISO27001 on information security policies. It is part of the subcategory GV.PO-01 of the NIST CSF on policies for managing cybersecurity risks, but it is also present in the RTP with regard to the generic risk of failure to update company policies. The elementary control tasks are evaluated individually. Then, the results of multiple similar tasks are aggregated to obtain a control of one of the various standards, frameworks or plans that we are considering.

Best method for evaluating the effectiveness of control activities may be to adopt the Capability Maturity Model Integration (CMMI). It is a simple model for finding the level of maturity of implementation of an action with respect to the objectives set for that action. Furthermore, it is sufficiently generic to be adaptable to all evaluation environments and is perfectly linked with gap analysis. The latter is precisely the technique suitable for our evaluations – that is, by measuring the current state of maturity of implementation of the control and comparing it with the pre-established level of effectiveness, we are able to determine how much still needs to be done.

In short, the advantage of evaluating control tasks instead of the controls proposed by the frameworks is twofold.

  • The first advantage is in the very nature of the control task that corresponds to a concrete action, required by some business process, and therefore well identified in terms of role and responsibility. In other words, something is used that the company has built for its own needs and therefore knows well. This is an indicator of quality in the evaluation.
  • The second advantage is in the method of treatment of the various frameworks. Instead of building specific controls with new costs to be sustained for their management, it is preferable to identify each control of the framework for which control tasks are relevant and automatically aggregate the relative evaluations. The only burden is to define the relationship between the companys control tasks and the controls of the chosen framework, but just once.

More details and considerations on pros and cons are described in recent ISACA Journal article, “Adding Value With Risk-Based Information Security.”

Source: National Institute of Standards and Technology, The NIST Cybersecurity Framework (CSF) 2.0, USA, 2024, https://www.nist.gov/informative-references

Information Security Risk Management for ISO 27001/ISO 27002

Information Security Risk Assessment Workshop

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: Risk-Based Information Security

Sep 08 2023

NIST Gap Assessment Tool

Category: NIST CSF,NIST Privacydisc7 @ 1:23 pm

The NIST Gap Assessment Tool will cost-effectively assess your organization against the NIST SP 800-171 standard. It will help you to:

  • Understand the NIST SP 800-171 requirements for storing, processing, and transmitting CUI (Controlled Unclassified Information)
  • Quickly identify your NIST SP 800-171 compliance gaps
  • Plan and prioritise your NIST SP 800-171 project to ensure data handling meets U.S. DoD (Department of Defense) requirements

Get started with your NIST SP 800-171 compliance project

The DoD requires U.S. contractors and their subcontractors to have an available assessment of their compliance with NIST SP 800-171. As part of a national movement to have a consistent approach to cybersecurity across the U.S., even organizations that store, process, or transmit unclassified and/or sensitive information must complete an assessment.

ITG NIST Gap Assessment Tool provides the assessment template you need to guide you through compliance with the DoD’s requirements for NIST SP 800-171. The tool lays out all 14 categories and 110 security controls from the Standard, in Excel format, so you can complete a full and easy-to-use assessment with concise data reporting.

What does the tool do?

  • Features the following tabs: ‘Instructions’, ‘Summary’, and ‘Assessment and SSP (System Security Plan)’.
  • The ‘Instructions’ tab provides an easy explanation of how to use the tool and assess your compliance project, so you can complete the process without hassle.
  • The ‘Assessment and SSP’ tab shows all control numbers and requires you to complete your assessment of each control.
  • Once you have completed the full assessment, the ‘Summary’ tab provides high-level graphs for each category and overall completion. Analysis includes an overall compliance score and shows the amount of security controls that are completed, ongoing, or not applied in your organization.
  • The ‘Summary’ tab also provides clear direction for areas of development and how you should plan and prioritize your project effectively, so you can start the journey of providing a completed NIST SP 800-171 assessment to the DoD.

This NIST Gap Assessment Tool is designed for conducting a comprehensive compliance assessment.  NIST SP 800-171 Assessment Tool.

The Complete DOD NIST 800-171 Compliance Manual: Comprehensive Controlled Unclassified Information (CUI) Marking & Handling Section

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: NIST Gap Assessment Tool, NIST SP 800-171

Aug 03 2022

NIST Gap Assessment Tool

Category: NIST CSFDISC @ 2:48 pm

NIST-Gap-Assessment-Tool-1Download

NIST 800-171a/CMMC 2.0 Self-Assessment Guide

NIST Cybersecurity Framework – A Pocket Guide

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Ask DISC an InfoSec & compliance related question

Tags: NIST 800-171, NIST Gap Assessment Tool

Feb 21 2022

New Version of the NIST CSF Tool

Category: NIST CSF,NIST PrivacyDISC @ 9:32 am
NIST CSF Tool

By John Masserini

THE NIST CSF TOOL

I am quite thrilled to announce that the long-overdue update to my NIST CSF tool V2.0 is finally done. While this new version generally looks the same as the prior one, there are substantial changes underneath which will make updating it in the future far easier.

Originally released in January of 2019, it has become the most popular page on the site, with almost 20,000 downloads. To get a full understanding of the tool, you can read the original post here which goes into great detail about why it was developed and how to use it.

After numerous requests, I have also added the NIST Privacy Framework to the tool as well. The same logic has been applied here as to the CSF side – it’s just as, or perhaps even more, important to measure what you do (your practices) against what you say you do (your policies) when it comes to Privacy as it is Security.

As always, I welcome suggestions and feedback. The email to reach me is in the worksheet.

You can find the new version on the Downloads page.

NIST Cybersecurity Framework: A pocket guide 

Tags: NIST CSF Tool

Jan 12 2022

NIST Cybersecurity Framework (CSF)

Category: Information Security,NIST CSFDISC @ 10:34 am

NIST-Cybersecurity-Framework-CSF-1Download

NIST Cybersecurity Framework – A Pocket Guide

NIST Cybersecurity Framework - A Pocket Guide

Tags: CSF, NIST Cybersecurity Framework

Mar 11 2021

Get More Value from NIST CSF, MITRE ATT&CK and COSO ERM with RiskLens

Category: Attack Matrix,NIST CSFDISC @ 11:13 pm
Get More Value from NIST CSF, MITRE ATT&CK and COSO ERM with RiskLens

MITRE ATT&CK matrices

MITRE ATT&CK is a tool to help cybersecurity teams get inside the minds of threat actors to anticipate their lines of attack and most effectively position defenses. MITRE ATT&CK works synergistically with FAIR to refine a risk scenario (“threat actor uses a method to attack an asset resulting in a loss”).

Enter an asset into the MITRE ATT&CK knowledge base and it returns a list of likely threat actors and their methods to inform a risk scenario statement. It also helps to fill in color and detail for the FAIR factors, such as the relative strength of threat actors likely to go after an asset or the resistance strength of the controls around the asset, as well as the frequency of attack one might expect from these actors, based on internal or industry data (housed in the Data Helpers and Loss Tables on the RiskLens platform). All these are ultimately fed into the Monte Carlo simulation engine to show probable loss exposure for the scenario. The data we collect on our assets and threat actors can be stored in libraries on the platform for repeat use.

MITRE ATT&CK also suggests controls for mitigation efforts specific to attacks. As with the controls suggested by NIST CSF, we can assess those in the platform for cost-effectiveness in risk reduction in financial terms.

Finally, RiskLens + MITRE ATT&CK can help refine tactics for the first line of defense. With a clear sense of top risk scenarios generated by RiskLens, and a clear sense of attack vectors for those scenarios, the SOC can better prioritize among the many incoming alerts based on potential bottom-line impact.

Tags: MITRE ATT&CK

Nov 18 2020

Senate passes bill to secure internet-connected devices against cyber

Category: NIST CSF,NIST PrivacyDISC @ 11:40 pm

The Senate this week unanimously passed bipartisan legislation designed to boost the cybersecurity of internet-connected devices.

The Senate passes a bill that would require all internet-connected devices purchased by the US government to comply with NIST’s minimum security recommendations

The Internet of Things Cybersecurity Improvement Act would require all internet-connected devices purchased by the federal government — such as computers and mobile devices — to comply with minimum security recommendations issued by the National Institute of Standards and Technology.

The bill would require private sector groups providing devices to the federal government to notify agencies if the internet-connected device has a vulnerability that could leave the government open to attacks.

The legislation, which the Senate advanced on Tuesday, was passed unanimously by the House in September. It now heads to President Trump for a signature.

“Most experts expect tens of billions of devices operating on our networks within the next several years as the Internet of Things (IoT) landscape continues to expand,” Gardner noted in a separate statement. “We need to make sure these devices are secure from malicious cyber-attacks as they continue to transform our society and add countless new entry points into our networks. Ensuring that our government has the capabilities and expertise to help navigate the impacts of the latest technology will be important in the coming years and decades.”

Source: Senate passes bill to secure internet-connected devices against cyber










Dec 07 2019

NIST CyberSecurity Framework and ISO 27001

Category: Information Security,ISO 27k,NIST CSFDISC @ 6:54 pm

NIST CyberSecurity Framework and ISO 27001

[pdf-embedder url=”https://blog.deurainfosec.com/wp-content/uploads/2019/12/NIST_ISO_Green_Paper_NEW_V3___Final_Edits.pdf”]

How to get started with the NIST Cybersecurity Framework (CSF) – Includes Preso

Written Information Security Program (WISP) – ISO 27002, NIST Cybersecurity Framework & NIST 800-53
httpv://www.youtube.com/watch?v=B8QjwD6f4rc

What is ISO 27001?
httpv://www.youtube.com/watch?v=AzSJyfjIFMw

Virtual Session: NIST Cybersecurity Framework Explained
httpv://www.youtube.com/watch?v=nFUyCrSnR68





Enter your email address:

Delivered by FeedBurner




Tags: iso 27001, NIST CSF, NIST RMF

Oct 14 2019

The best practice guide for an effective infoSec function

Category: cyber security,Information Security,ISO 27k,NIST CSF,Risk AssessmentDISC @ 10:48 am

Building ISMS

The best practice guide for an effective infoSec function: iTnews has put together a bit of advice from various controls including ISO 27k and NIST CSF to guide you through what’s needed to build an effective information security management system (ISMS) within your organization.

This comprehensive report is a must-have reference for executives, senior managers and folks interested in the information security management area.

 

Practice Guide

Open a PDF file The best practice guide for an effective infoSec function.

How to Build a Cybersecurity Program based on the NIST Cybersecurity Framework
httpv://www.youtube.com/watch?v=pDra0cy5WZI

Beginners ultimate guide to ISO 27001 Information Security Management Systems
httpv://www.youtube.com/watch?v=LytISQyhQVE

Conducting a cybersecurity risk assessment


Subscribe to DISC InfoSec blog by Email




Tags: isms

Sep 21 2019

How to get started with the NIST Cybersecurity Framework (CSF) – Expel

Category: NIST CSF,Security ComplianceDISC @ 11:02 am

We give you a quick tour of the NIST Cybersecurity framework and describe how you can baseline your efforts in a couple of hours. So check it out.

Source: How to get started with the NIST Cybersecurity Framework (CSF) – Expel

The CyberSecurity Framework Ver 1.1 Preso
[pdf-embedder url=”https://blog.deurainfosec.com/wp-content/uploads/2019/09/NIST-CSF-1.1-preso.pdf” title=”NIST CSF 1.1 preso”]

Virtual Session: NIST Cybersecurity Framework Explained
httpv://www.youtube.com/watch?v=nFUyCrSnR68

CSS2017 Session 14 SANS Training – NIST Cyber Security Framework
httpv://www.youtube.com/watch?v=I-s4bAzH7t0

Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certification | Edureka
httpv://www.youtube.com/watch?v=uk8-jJgu8-I

Free PDF download: NIST Cybersecurity Framework and ISO 27001 | IT Governance USA


Subscribe to DISC InfoSec blog by Email




Tags: NIST CSF